02-19-2023 10:41 PM
Hello everyone. I need help with BIOC rules. I found a lot of IOC rules from other sources, but I don't know how I can change those IOC rules to BIOC rules. That's a really big problem for me and I can't figure it out. Who can help me with that? Thanks in advance.
03-01-2023 01:04 AM
Hi @Ajhuge ,
Can you please clarify what you are trying to achieve?
I am probably missing your point, but IOC and BIOC are two different things:
- IOCs are "static" indicators like known bad IPs, domains, file hashes, file names etc. XDR allows you to manually add IOCs one at a time, or bulk import them from a file. Working with IOCs • Cortex XDR Pro Administrator Guide • Reader • Palo Alto Networks documentation p...
- BIOCs are behavioral indicators, where you use an XQL query to define what behaviors/actions/series of related actions could be suspicious. Working with BIOCs • Cortex XDR Pro Administrator Guide • Reader • Palo Alto Networks documentation ...
You don't need to create a BIOC to look for an IOC. XDR will raise an alert whenever a defined IOC is detected.
If you want to import IOCs from external Threat Intelligence, unfortunately XDR doesn't support "polling" IOCs from an external source. However, you can "push" IOCs to XDR using the REST API. As mentioned in the links above, this option is available only with a Pro per Endpoint license.
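One way to do the "push" described in this reply, as an added example that is not from the thread or from Palo Alto Networks: a small Python script that classifies indicators from an external feed by their shape and builds the bulk-insert request body. The endpoint path, header names and the type/severity values are assumptions based on the public Cortex XDR indicator API; verify them against your tenant's API reference, and the `SAMPLE_FEED` is constructed.

```python
import json
import re
import urllib.request

# Constructed sample feed, in the shape a third-party threat-intel source might export.
SAMPLE_FEED = """
# comment lines and blank lines are skipped
198.51.100.23
bad-updates.example.net
44d88612fea8a8f36de82e1278abb02f
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
"""

# Map the shape of a raw indicator onto an XDR indicator type. The type names are
# assumptions based on the public indicator API; verify against your tenant's API docs.
_PATTERNS = [
    ("IP", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("HASH", re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)),
    ("DOMAIN_NAME", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
]

def classify(value):
    """Return the XDR indicator type for one raw IOC string, or None if unrecognised."""
    for ioc_type, pattern in _PATTERNS:
        if pattern.match(value):
            return ioc_type
    return None

def build_request(feed_text, severity="MEDIUM"):
    """Turn a newline-separated IOC feed into the JSON body for the insert_jsons call."""
    entries = []
    for line in feed_text.splitlines():
        value = line.strip()
        if not value or value.startswith("#"):
            continue
        ioc_type = classify(value)
        if ioc_type is None:
            continue  # unknown shapes are dropped, never guessed
        entries.append({"indicator": value, "type": ioc_type, "severity": severity})
    return {"request_data": entries}

def push_indicators(api_fqdn, api_key_id, api_key, feed_text):
    """POST the indicators to the tenant (endpoint path and header names are assumed)."""
    body = json.dumps(build_request(feed_text)).encode()
    req = urllib.request.Request(
        f"https://{api_fqdn}/public_api/v1/indicators/insert_jsons", data=body,
        headers={"x-xdr-auth-id": str(api_key_id), "Authorization": api_key,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

Call `push_indicators("api-<tenant>.xdr.<region>.paloaltonetworks.com", key_id, key, SAMPLE_FEED)` with an API key that has the indicator permission; `build_request` can be run on its own to inspect the payload before anything is sent.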
03-13-2023 06:22 AM
Thanks for the links, and if I still face any issue, I will message you.